AWS Security ChangesHomeSearch

AWS keyspaces medium security documentation change

Service: keyspaces · 2025-07-25 · Security-related medium

File: keyspaces/latest/devguide/access.cross-account.sharedVPC.md

Summary

Clarified cross-account access configuration for Amazon Keyspaces tables, including explicit IAM role creation in Account A, updated trust policy ARNs to specific roles in Accounts B/C, and added SDK authentication reference

Security assessment

The change replaces a root ARN with specific role ARNs (Job-role-B/C), enforcing least privilege access. Explicitly specifying roles instead of root account access reduces potential attack surface. The added reference to SDK authentication documentation improves guidance for secure role assumption.

Diff

diff --git a/keyspaces/latest/devguide/access.cross-account.sharedVPC.md b/keyspaces/latest/devguide/access.cross-account.sharedVPC.md
index 73370a3e2..30b0392e5 100644
--- a//keyspaces/latest/devguide/access.cross-account.sharedVPC.md
+++ b//keyspaces/latest/devguide/access.cross-account.sharedVPC.md
@@ -24 +24 @@ In this example we use the following three accounts in a shared VPC:
-`Account A` is the account that contains the resources that `Account B` and `Account C` need to access, so `Account A` is the _trusting_ account. `Account B` and `Account C` are the accounts with the principals that need access to the resources in `Account A`, so `Account B` and `Account C` are the _trusted_ accounts. The trusting account grants the permissions to the trusted accounts by sharing an IAM role. The following procedure outlines the configuration steps required in `Account A`.
+`Account A` is the account that contains the resources (an Amazon Keyspaces table) that `Account B` and `Account C` need to access, so `Account A` is the _trusting_ account. `Account B` and `Account C` are the accounts with the principals that need access to the resources (an Amazon Keyspaces table) in `Account A`, so `Account B` and `Account C` are the _trusted_ accounts. The trusting account grants the permissions to the trusted accounts by sharing an IAM role. The following procedure outlines the configuration steps required in `Account A`.
@@ -36 +36 @@ In this example we use the following three accounts in a shared VPC:
-  4. Create an IAM role that has full access to the Amazon Keyspaces table, read access to the Amazon Keyspaces system tables, and is able to describe the Amazon EC2 VPC resources as shown in the following policy example.
+  4. Create an IAM role in `Account A` that has full access to the Amazon Keyspaces table, read access to the Amazon Keyspaces system tables, and is able to describe the Amazon EC2 VPC resources as shown in the following policy example.
@@ -54 +54 @@ In this example we use the following three accounts in a shared VPC:
-  5. Configure the IAM role trust policy that `Account B` and `Account C` can assume as trusted accounts as shown in the following example. 
+  5. Configure a trust policy for the IAM role in `Account A` so that `Account B` and `Account C` can assume the role as trusted accounts. This is shown in the following example. 
@@ -62 +62,2 @@ In this example we use the following three accounts in a shared VPC:
-                    "AWS": "arn:aws:iam::111111111111:root"
+                    "AWS": "arn:aws:iam::AccountB:role/Job-role-B",
+                    "AWS": "arn:aws:iam::AccountC:role/Job-role-C"
@@ -94 +95 @@ Allowing the principal to assume the shared role is implemented using the `Assum
-  2. In `Account B` and `Account C`, you can create applications that utilize the SIGV4 authentication plugin, which allows an application to assume the shared role to connect to the Amazon Keyspaces table located in `Account A` through the VPC endpoint in the shared VPC. For more information about the SIGV4 authentication plugin, see [Create credentials for programmatic access to Amazon Keyspaces ](./programmatic.credentials.html).
+  2. In `Account B` and `Account C`, you can create applications that utilize the SIGV4 authentication plugin, which allows an application to assume the shared role to connect to the Amazon Keyspaces table located in `Account A` through the VPC endpoint in the shared VPC. For more information about the SIGV4 authentication plugin, see [Create credentials for programmatic access to Amazon Keyspaces ](./programmatic.credentials.html). For more information on how to configure an application to assume a role in another AWS account, see [Authentication and access](https://docs.aws.amazon.com/sdkref/latest/guide/access.html) in the _AWS SDKs and Tools Reference Guide_.